The jsonp-src directive allows additional script sources beyond those defined by script-src but with more limited functionality. JSONP (“JSON + Padding”) is a legacy cross-origin data sharing pattern based on the use of a cross-origin src attribute of a script element. Proper use of the jsonp-src and jsonp-sink directives allows legacy JSONP APIs to be called with security properties equivalent to CORS. [CORS]
The syntax for the name and value of the directive are described by the following ABNF grammar:
directive-name = "jsonp-src"
directive-value = source-list
The term allowed jsonp sources refers to the result of parsing the jsonp-src directive's value as a source list if the policy contains an explicit jsonp-src. Default sources are not valid as allowed jsonp sources if this directive is not explicitly defined.
The term JSON refers to a subset of the ECMAScript Programming Language Standard defined by RFC 4627 [RFC 4627].
The term JSONP refers to a response where the body consists entirely of a single ECMAScript [ECMAScript] CallExpression with a single JSON-text for the value of ArgumentsList, illustrated by the following ABNF grammar:
functionName = <MemberExpression production from ECMAScript 262>
JSONP = functionName *WSP "(" *WSP <JSON-text production from RFC4627> *WSP ");"
Whenever the user agent fetches a URI when processing the src attribute of a script element (including when following redirects) if the URI does not match the allowed script sources, it should next be compared against allowed jsonp sources. If the URI matches, it may be processed if the response body is JSONP.
When evaluating the body as JSONP, if any of the following hold, the user agent must abort processing the script and act as if it had received and empty HTTP 400 response:
· Type(functionName) is not Object
· IsCallable(functionName) returns false
· If functionName is a Direct Call to Eval as defined in 18.104.22.168.1 of ECMAScript 262
· If functionName does not refer to a native ECMAScript object (Scripts allowed via jsonp-source may not call host objects directly.)
· If a jsonp-sink directive is defined and functionName does not match the allowed sinks
The jsonp-sink directive defines the allowed names of functions that may be invoked when processing the src attribute of a script that matches the allowed jsonp sources. The syntax for the name and value of the directive are described by the following ABNF grammar:
directive-name = "jsonp-sink"
directive-value = *WSP *<MemberExpression production from ECMAScript 262> *WSP / *WSP "none" *WSP
If the jsonp-sink directive is undefined or empty, any MemberExpression is allowed as the value of functionName in the JSONP body of the response. If a jsonp-src directive is not explicitly defined, the jsonp-sink directive is ignored.